IBM Support

PM63508: TRUST CLIENT MAY APPLY WRONG POLICY SET AND/OR BINDINGS


APAR status

  • Closed as program error.

Error description

  • When more than one trust client is configured to use the
    same STS endpoint and those trust clients are configured to
    use different WS-Security policy sets and/or bindings, the
    policy set and bindings that are applied to one or more of the
    trust client calls may be incorrect.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server V7.0 users *
    *                  of WS-Security enabled JAX-WS applications  *
    *                  and SAML                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: Incorrect policy set and/or bindings    *
    *                      may be applied to a trust client        *
    ****************************************************************
    * RECOMMENDATION:  Apply a fix pack that contains this APAR.   *
    ****************************************************************
    There are instances when an incorrect policy set and/or
    bindings may be applied to a trust client.
    When a scenario requires that more than one policy set and/or
    set of bindings be applied to the same endpoint, the policy
    set and/or bindings that are applied to the endpoint are
    undetermined.
    For instance, consider the following flow in a single
    application:
    First, an inbound token is validated: a UsernameToken with a
    password is sent to an STS.
    Then a token is exchanged: a UsernameToken without a password
    is sent to the same STS endpoint.
    Each of these communications can use the same policy but would
    require different bindings in order to configure the
    UsernameToken generator to send the UsernameToken without a
    password.
    Given this scenario, the trust client will apply the first
    policy and bindings properly. However, it will not apply the
    second properly.
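
To check whether a deployment matches the condition described above, the following added example (not IBM code and not part of the APAR) groups an inventory of trust clients by STS endpoint and reports endpoints used with more than one policy set/bindings pair. The inventory format, all names and URLs are hypothetical, and treating URLs that differ only in host case, default port or trailing slash as the same endpoint is an assumption made so the audit errs on the side of flagging.

```python
from collections import defaultdict
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_endpoint(url):
    """Canonical form so spelling variants of one STS URL group together
    (assumption: case, default port and trailing slash do not matter)."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    path = parts.path.rstrip("/") or "/"
    return f"{scheme}://{host}:{port}{path}"

def find_shared_endpoint_conflicts(trust_clients):
    """Return {endpoint: [client names]} for STS endpoints that are used
    with more than one distinct (policy set, bindings) pair."""
    by_endpoint = defaultdict(list)
    for client in trust_clients:
        by_endpoint[normalize_endpoint(client["sts_endpoint"])].append(client)
    conflicts = {}
    for endpoint, clients in by_endpoint.items():
        pairs = {(c["policy_set"], c["bindings"]) for c in clients}
        if len(pairs) > 1:
            conflicts[endpoint] = sorted(c["name"] for c in clients)
    return conflicts

# Constructed inventory mirroring the validate/exchange flow above.
# Every name, URL, policy set and binding label here is hypothetical.
SAMPLE_TRUST_CLIENTS = [
    {"name": "validate-inbound", "sts_endpoint": "https://sts.example.com:9443/sts",
     "policy_set": "UsernameTokenPolicy", "bindings": "UNT-with-password"},
    {"name": "exchange-token", "sts_endpoint": "https://STS.example.com:9443/sts/",
     "policy_set": "UsernameTokenPolicy", "bindings": "UNT-no-password"},
    # Same endpoint, same policy set and bindings: not the affected case.
    {"name": "partner-issue", "sts_endpoint": "https://sts2.example.com/issue",
     "policy_set": "SAMLPolicy", "bindings": "SAML-bearer"},
    {"name": "partner-renew", "sts_endpoint": "https://sts2.example.com:443/issue",
     "policy_set": "SAMLPolicy", "bindings": "SAML-bearer"},
]

if __name__ == "__main__":
    for endpoint, names in find_shared_endpoint_conflicts(SAMPLE_TRUST_CLIENTS).items():
        print(f"{endpoint}: {', '.join(names)}")
```
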
    

Problem conclusion

  • The WS-Security runtime is updated so that it is able to use
    different policy sets and bindings for trust clients that use
    the same STS endpoint.
    
    This APAR requires Web Services APAR PM63637 in order to be
    fully functional.  Applying this APAR by itself will not
    adversely affect the WS-Security runtime.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 7.0.0.25.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM63508

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-04-27

  • Closed date

    2012-05-18

  • Last modified date

    2012-05-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP


Document Information

Modified date:
28 October 2021